Systems and methods for facilitating seamless authentication of application development platforms

ABSTRACT

Various embodiments concern mechanisms for facilitating communication between network-accessible platforms for developing, hosting, or running hybrid applications that utilize resources hosted across multiple platforms. Hybrid applications cause messages or “calls” to be passed between the platforms that must be authenticated. For example, when a call is placed by a Heroku platform to a Force.com platform, the call must be authenticated for security purposes. If Heroku has not already been authenticated when the call is submitted, an authentication process is invoked. An event listener can be used to register details regarding the initial callout task, and then register or “fire” an event when the authentication process is successfully completed. Registration of the initial callout task completely separates the authentication process from the resource being invoked. Requests can be completed without requiring further user input using at least some of the details registered by the event listener.

CROSS-REFERENCE TO RELATED APPLICATIONS

This nonprovisional patent application is a continuation of U.S. patentapplication Ser. No. 17/684,388, filed Mar. 1, 2022, and titled,“SEAMLESS AUTHENTICATION FOR AN APPLICATION DEVELOPMENT PLATFORM,” whichis a continuation of U.S. patent application Ser. No. 16/432,086, filedJun. 5, 2019, now U.S. Pat. No. 11,265,304, and titled, “SEAMLESSAUTHENTICATION FOR AN APPLICATION DEVELOPMENT PLATFORM,” U.S. patentapplication Ser. No. 16/432,086 is a continuation application of U.S.patent application Ser. No. 15/869,451, filed Jan. 12, 2018, now U.S.Pat. No. 10,348,716 and titled, “SEAMLESS AUTHENTICATION FOR ANAPPLICATION DEVELOPMENT PLATFORM,” U.S. patent application Ser. No.15/869,451 is a continuation application of U.S. patent application Ser.No. 15/189,218, filed Jun. 22, 2016, now U.S. Pat. No. 9,900,302 andtitled, “SEAMLESS AUTHENTICATION FOR AN APPLICATION DEVELOPMENTPLATFORM,” each of which are herein incorporated by reference in theirentirety for all purposes.

FIELD

Various embodiments relate generally to techniques for facilitatingcommunication between network-accessible platforms and, morespecifically, to techniques for facilitating authentication ofapplication development platforms.

BACKGROUND

Salesforce is a cloud computing company that offers various customerrelationship management (CRM) products and social enterprise (e.g.,social networking) solutions. Companies offering CRM services, such asSalesforce, can provide entities with an interface for case managementand task management, as well as a system for automatically routing andescalating important events. The Salesforce platform also enablesindividual customers to track their own cases. In some instances, theSalesforce platform includes a social networking add-on application(also referred to as a “plug-in”) that allows the Salesforce platform toread conversations on social networking websites, analyze emails, chatmessages, search engine queries, etc.

Force.com® and Heroku®, meanwhile, are development platforms that can beused by developers to build and run applications entirely in the cloud.For example, Force.com applications could be hosted on the architectureof the Salesforce platform and are typically built using Apex, which isa proprietary Java-like programming language. However, some hybridapplications utilize resources (e.g., data or processes) hosted bymultiple platforms. For instance, an application supported by the Herokumay request resources from Force.com (or vice versa). It is oftendesirable to link to external services and external sources of data whendeveloping hybrid applications for the Salesforce platform.

SUMMARY

Systems and techniques are described herein for facilitatingcommunication between network-accessible platforms for developing,hosting, and/or running hybrid applications that utilize resources(e.g., data or processes) hosted across multiple platforms. Whenbuilding a hybrid application that spans multiple platforms, messages or“calls” are passed between the platforms that must be authenticated. Forexample, when a Hypertext Transfer Protocol (HTTP) request is submittedfrom a Heroku platform to a Force.com platform, the request must beauthenticated for security purposes. If the platforms have not alreadyauthenticated one another, an authentication process is invoked.

Conventionally, an application executed by a user device (e.g., a mobilephone, tablet, or personal computer) would have to resubmit the requestfor a resource upon successful completion of the authentication process.Mechanisms are described herein that allow the original request to becompleted without requiring further user interaction (i.e., withoutrequesting the application resubmit the original request).

More specifically, the mechanisms make use of an event listener thatregisters the initial request (also referred to as a “callout task”),and then registers or “fires” an event when the authentication processis successfully completed. Registration of the initial request separatesthe authentication process from the process or data being invoked. Thus,the authentication flow has no knowledge of the resource being invoked.

BRIEF DESCRIPTION OF THE DRAWINGS

One or more embodiments of the present invention are illustrated by wayof example and not limitation in the figures of the accompanyingdrawings, in which like references indicate similar elements.

FIG. 1 depicts a high-level view of a network environment in which aHeroku platform facilitates execution of an application on a userdevice.

FIG. 2 depicts a flow diagram of a conventional authentication processthat is used by an application executing on a user device to obtainaccess to a resource server.

FIG. 3 depicts a network environment in which a Heroku platformcommunicates with a Force.com platform.

FIG. 4 depicts a flow diagram of an authentication process that, uponcompletion, allows a client server to request resources from a resourceserver.

FIG. 5 depicts a process for completing an initial call for a resource(e.g., data or a process) that was made by an application.

FIG. 6 is a block diagram illustrating an example of a processing systemin which at least some operations described herein can be implemented.

DETAILED DESCRIPTION

Systems and techniques are described herein for facilitatingcommunication between network-accessible platforms for developing,hosting, and/or running hybrid applications that utilize resources(e.g., data or processes) hosted across multiple platforms. Hybridapplications cause messages or “calls” to be passed between theplatforms that must be authenticated for security purposes. If theplatforms have not already authenticated one another, an authenticationprocess is invoked.

Conventionally, an application executed by a user device (e.g., a mobilephone, tablet, or personal computer) would have to resubmit the requestfor a resource upon successful completion of the authentication process.Described herein are mechanisms that make use of an event listener thatregisters details regarding the initial request, and then registers or“fires” an event when the authentication process is successfullycompleted. Requests can be completed on behalf of the applicationwithout requiring further user input by resubmitting the request usingat least some of the details registered by the event listener.

Certain network-accessible platforms (e.g., Heroku and Force.com) arementioned herein for the purposes of illustration. Othernetwork-accessible platforms could also be used to run an application orhost resources required by the application. The application may beaccessible via one or more of a web browser, mobile application,software program, or over-the-top (OTT) application. Accordingly, theapplication may be accessed using any appropriate network-accessibleelectronic device, such as a mobile phone, tablet, personal computer,game console (e.g., Sony PlayStation® or Microsoft Xbox®), music player(e.g., Apple iPod Touch®), wearable electronic device (e.g., a watch orfitness band), network-connected (“smart”) device (e.g., television),virtual/augmented reality system (e.g., Oculus Rift® or MicrosoftHololens®), or some other electronic device.

Terminology

Brief definitions of terms, abbreviations, and phrases used throughoutthis application are given below.

Reference in this specification to “one embodiment” or “an embodiment”means that a particular feature, structure, or characteristic describedin connection with the embodiment is included in at least one embodimentof the disclosure. The appearances of the phrase “in one embodiment” invarious places in the specification are not necessarily all referring tothe same embodiment, nor are separate or alternative embodimentsnecessarily mutually exclusive of other embodiments. Moreover, variousfeatures are described that may be exhibited by some embodiments and notby others. Similarly, various requirements are described that may berequirements for some embodiments and not for others.

Unless the context clearly requires otherwise, throughout thedescription and the claims, the words “comprise,” “comprising,” and thelike are to be construed in an inclusive sense, as opposed to anexclusive or exhaustive sense; that is to say, in the sense of“including, but not limited to.” As used herein, the terms “connected,”“coupled,” or any variant thereof means any connection or coupling,either direct or indirect, between two or more elements; the coupling ofor connection between the elements can be physical, logical, or acombination thereof. For example, two components may be coupled directlyto one another or via one or more intermediary channels or components.As another example, devices may be coupled in such a way thatinformation can be passed there between, while not sharing any physicalconnection with one another. Additionally, the words “herein,” “above,”“below,” and words of similar import shall refer to this specificationas a whole and not to any particular portions of this specification.Where the context permits, words in the Detailed Description using thesingular or plural number may also include the plural or singular numberrespectively. The word “or,” in reference to a list of two or moreitems, covers all of the following interpretations of the word: any ofthe items in the list, all of the items in the list, and any combinationof the items in the list.

If the specification states a component or feature “may,” “can,”“could,” or “might” be included or have a characteristic, thatparticular component or feature is not required to be included or havethe characteristic.

The term “module” refers broadly to software, hardware, or firmwarecomponents. Modules are typically functional components that cangenerate useful data or other output using specified input(s). A modulemay or may not be self-contained. An application program (also called an“application”) may include one or more modules, or a module can includeone or more application programs.

The terminology used in the Detailed Description is intended to beinterpreted in its broadest reasonable manner, even though it is beingused in conjunction with certain examples. The terms used in thisspecification generally have their ordinary meanings in the art, withinthe context of the disclosure, and in the specific context where eachterm is used. For convenience, certain terms may be highlighted by usingcapitalization, italics, and/or quotation marks. The use of highlightinghas no influence on the scope and meaning of a term; the scope andmeaning of a term is the same, in the same context, whether or not it ishighlighted. It will be appreciated that an element or feature can bedescribed in more than one way.

Consequently, alternative language and synonyms may be used for some ofthe terms discussed herein, and special significance is not to be placedon whether or not a term is elaborated or discussed herein. Synonyms forcertain terms are provided. A recital of one or more synonyms does notexclude the use of other synonyms. The use of examples anywhere in thisspecification, including examples of any terms discussed herein, isintended to be illustrative only and is not intended to further limitthe scope and meaning of the disclosure or of any exemplified term.Likewise, the disclosure is not limited to the various embodiments givenin this specification.

System Overview

FIG. 1 depicts a high-level view of a network environment 100 in which aHeroku platform 102 facilitates execution of an application 118 on auser device 116. The Heroku platform 102 (which may also be referred toas a “Heroku environment”) can include a programming environment 104 andan application programming interface (API) 108. Other components couldalso be included as part of the Heroku platform 102. For example, theHeroku platform 102 could also include one or more internal databases106.

Together, these components are used to develop and support anapplication 118 that is executed by a user device 116, such as a mobilephone, tablet, or personal computer. When executed by the operatingsystem of the user device 116, the application 118 generates anapplication interface 120 that a user can view and interact with (e.g.,by providing user input).

Applications developed using the Heroku platform 102 may be hybridapplications that utilize resources (e.g., data or processes) hostedacross multiple platforms. For example, the Heroku platform 102 couldcommunicate with an external service 110 using the API 108 and request aresource 112 hosted by the external service 110. Hybrid applicationscause messages or “calls” to be passed between the platforms andservices that must be authenticated. The platforms/services can beconnected to one another across one or more networks 114, such as theInternet, Bluetooth, a local area network (LAN), a wide area network(WAN), a point-to-point dial-up connection, etc.

Hybrid applications are able to make use of resources that are notstored locally by the Heroku platform 102. The API 108 (e.g., a HerokuPlatform API) allows these resources to be programmatically automated,extended, and combined with services offered by the Heroku platform 102.Said another way, the API 108 seamlessly interfaces and integrates theHeroku platform 102 with the external service 110 (e.g., Force.com). Theresources of the external service can then be made available to theHeroku platform 102. For example, data or processes could be used withinthe programming environment 104 of the Heroku platform 102.

The programming environment 104 is responsible for supporting theapplication 118 and can respond to user input received at theapplication interface 120 presented by the user device 116. Theapplication interface 120 could be used for case management and taskmanagement, as well as for automatically routing and escalatingimportant events. Alternatively, the application interface 120 could beused to track the status of individual cases or projects.

As further described below, the application interface 120 may support anadditional functionality that is enabled by the external service 110accessible to the Heroku platform 102. For example, a financialmanagement application may allow a user (e.g., a company or a customer)to track and organize information that is retrieved from a Force.complatform. The information could be related to accounting, billing,professional services automation (PSA), revenue recognition, humancapital management (HCM), supply chain management (SCM), etc.

Each hybrid application may also be described as a cloud-based solutionthat is developed for Heroku or Force.com. Each of these is considered aplatform-as-a-service (PaaS) that allows developers to createmultitenant applications that can be integrated into a Salesforceplatform. Hybrid applications that make use of both Heroku and Force.comcould be built using Apex (a proprietary Java-like programminglanguage), Visualforce (a component-based user interface framework thatincludes a tag-based markup language similar to HTML), Ruby, Java,Node.js, Scala, Clojure, Python, PHP, Go, etc.

FIG. 2 depicts a flow diagram of a conventional authentication processthat is used by an application executing on a user device to obtainaccess to a resource server. More specifically, the application maysubmit a request for service to a client server that requiresresource(s) hosted by the resource server. The resource server andclient server could be associated with different services. For example,the client server could be associated with Heroku, while the resourceserver may be associated with Force.com.

When the client server determines that the request requires a resource(e.g., data or process) hosted by the resource server, an authenticationprocess (also referred to as a “web server flow”) is invoked. Onsuccessful completion of the authentication process, the client servermay obtain an authentication token for the resource server from anauthentication server. Here, for example, the client server (e.g., aHeroku platform) submits information to the authorization server toobtain access to the resource server (both of which form part of aForce.com platform).

The process begins with an application executed by a user devicerequesting a service from the client server. The client server respondsby redirecting the application to an authentication server, whichauthenticates the client server. After the authentication server hassuccessfully authenticated the client server, the application isredirected to the client server with a uniform resource locator (URL).

The client server can then extract an authorization code from the URLand send a request directly to the authorization server that includesthe authorization code. The authentication server responds by providingan authentication token for the resource server and/or an address thatcan be used to submit requests directly to the resource server. Forexample, the address may be to an API that provides the client serverwith programmatic access to resources hosted by the resource server. Atthis point, the client server can use the authentication token and/orthe address to authorize requests to access the resource server by theapplication.

However, the client server does not submit the original request to theresource server on behalf of the application. Instead, the client servernotifies the application that the authentication process has beensuccessfully completed, and the application resubmits the initialrequest for the service. Oftentimes, resubmittal requires that a userconfirm the initial request or manually resubmit the request using theapplication interface. Once the request has been resubmitted, the clientserver requests the necessary resource(s) from the resource server usingthe authentication token and/or the address associated with the resourceserver. The resource server then responds to the request (e.g., byproviding the requested data or performing the requested process), andthe client server responds to the application.

FIG. 3 depicts a network environment 300 in which a Heroku platform 302communicates with a Force.com platform 314. The platforms maycommunicate with one another responsive to a hybrid applicationsubmitting a call (e.g., a HTTP request) to the Heroku platform 302 fora resource hosted by the Force.com platform 314.

The Heroku platform 302 can include a programming environment 304, anevent listener module 308, and a Heroku API 310. The Heroku platform 302could also include one or more databases 306 for hosting resources(e.g., data and processes). Similarly, the Force.com platform 314 caninclude a programming environment 316, one or more databases 318, and aForce.com API 320. Together, the Heroku API 310 and the Force.com API320 can communicate directly with one another across a network 312, suchas the Internet, Bluetooth, a local area network (LAN), a wide areanetwork (WAN), a point-to-point dial-up connection, etc.

As noted above, a hybrid application that spans both platforms causesmessages or “calls” to be passed between the Heroku platform 302 and theForce.com platform 314. However, calls passed between the platforms mustbe authenticated. For example, when a call is placed from the Herokuplatform 302 to the Force.com platform 314 (e.g., in response toreceiving an HTTP request for a service from an application), the callmust be authenticated for security purposes. If the Heroku platform 302has not previously been authenticated when the request is submitted, anauthentication process is invoked. For example, the Force.com platform314 may invoke the OAuth 2.0 web server authentication process.

An event listener module 308 is installed on the Heroku platform 302that can completely separate the authentication process from theresource being requested by the hybrid application. Because theauthentication flow has no knowledge of the resource being requested,the Heroku platform 302 can submit the initial request on behalf of theapplication without requiring further user input.

More specifically, the event listener module can register the initialcallout task (e.g., by registering details of the initial callout task),and then register or “fire” an event when the authentication process hasbeen successfully completed. The initial callout task can be resubmittedby the Heroku platform 302 on behalf of the application. Morespecifically, the Heroku platform 302 can pass task parameters to theForce.com platform 314 upon completion of the authentication process.

FIG. 4 depicts a flow diagram of an authentication process that, uponcompletion, allows a client server to request resources from a resourceserver. The resources can be provided to an application that is executedby a user. The application initially submits a request for service tothe client server in response to receiving user input at an applicationinterface presented on a user device. When the application is a hybridapplication, the request may be for data maintained by another serviceor for a process to be performed by another service.

The client server registers details of the request after receiving therequest for service from the application. More specifically, an eventlistener may register a description of the process to be performed, ausername, or an identifier (e.g., an organization identifier or anapplication identifier) that specifies where the request originated. Theevent listener, which is partially or entirely implemented in software,could be programmed in Java. Registration of the details regarding therequest completely separates the authentication process from theresource(s) required to satisfy the request for service.

If the client server has not previously been authenticated by theservice associated with the resource server, an authentication processis invoked. In some embodiments, the authentication process may requirethat the client server communicate with a separate server configured forauthenticating requesting entities (e.g., servers and applications).Here, for example, the client server submits at least some of theregistered information (e.g., the username and identifier) to theauthorization server to obtain access to the resource server. Uponauthenticating the client server, the authentication server responds byproviding an authentication token and/or an address of the resourceserver. The address may be for an API that provides programmatic accessto resources hosted by the resource server.

The event listener registers or “fires” an event when the authenticationprocess has been successfully completed and the client server has beenauthenticated. Responsive to registering the event, the client servercan submit the original request on behalf of the application using atleast some of the details registered by the event listener and theauthentication token or address received from the authentication server.This mechanism allows the original request to be completed withoutrequiring further user input at the application. That is, the user isnot required to provide further user input after submitting the originalrequest, and the application is not required to resubmit the originalrequest. When the request for service is fulfilled by the resourceserver, an appropriate response can then be passed to the application bythe client server.

FIG. 5 depicts a process 500 for completing an initial call for aresource (e.g., data or a process) that was made by an application.Here, for example, the initial call is submitted to a Heroku platformfor a resource that is hosted by a Force.com platform. Although theprocess 500 is described in the context of an application that issupported by a Heroku platform, the process could also be used withother application development platforms.

A request for service is initially received by the Heroku platform thatrequires a resource hosted by the Force.com platform (step 501). Therequest is placed by a hybrid application that spans multiple platforms(here, the Heroku platform and the Force.com platform). Generally, therequest is placed by the hybrid application responsive to receiving userinput at a user interface presented on a user device. The user interfacemay be accessed using any appropriate network-accessible user device,such as a mobile phone, tablet, personal computer, game console (e.g.,Sony PlayStation or Microsoft Xbox), music player (e.g., Apple iPodTouch), wearable electronic device (e.g., a watch or fitness band),network-connected (“smart”) device (e.g., television), virtual/augmentedreality system (e.g., Oculus Rift or Microsoft Hololens), or some otherelectronic device.

The Heroku platform can then register details associated with theinitial request (step 502). More specifically, an event listener (e.g.,a software module programmed in Java) could analyze the initial requestand register certain parameters that may be derived from the initialcall. For example, the event listener could parse initial callparameters and store information learned from said parsing. Theinformation could include a description of the required resource, ausername, or an identifier that specifies where the request originated.

The Heroku platform then determines whether the Force.com platform is aregistered client of the Heroku platform (step 503). That is, the Herokuplatform determines whether it or the Force.com platform has validatedthe other. Responsive to determining the Force.com platform is not aregistered client, an authentication process is invoked (step 504) andat least some of the details associated with the initial request arepassed through the authentication process (step 505). For example, theHeroku platform could pass the username and the identifier to theauthentication process for validation (e.g., by the Force.com platform).

When the authentication process is successfully completed, the eventlistener of the Heroku platform registers or “fires” an event (step506). The Force.com platform may provide the Heroku platform anauthentication token and/or an address to which subsequent calls shouldbe addressed upon successful completion of the authentication process.Because the details were previously registered by the event listener,the initial request and the authentication process are considered to beindependent from one another. After the event has been registered by theevent listener, the Heroku platform resubmits the initial request onbehalf of the application. More specifically, the Heroku platformcompletes the request using at least some of the registered details(e.g., the description of the required resource) and the authenticationtoken and/or address supplied by the Force.com platform (step 507).Thus, the initial request can be completed by the Heroku platformwithout requiring further user input at the application.

Unless contrary to physical possibility, it is envisioned that the stepsdescribed above may be performed in various sequences and combinations.For instance, the Heroku platform may determine whether the Force.complatform is a registered client before registering details regarding theinitial request submitted by the application. Additional steps couldalso be included in some embodiments. For example, the registereddetails could be stored within a database before or after placing a callfor service to the Force.com platform.

Processing System

FIG. 6 is a block diagram illustrating an example of a processing system600 in which at least some operations described herein can beimplemented. The computing system may include one or more centralprocessing units (“processors”) 602, main memory 606, non-volatilememory 610, network adapter 612 (e.g., network interfaces), videodisplay 618, input/output devices 620, control device 622 (e.g.,keyboard and pointing devices), drive unit 624 including a storagemedium 626, and signal generation device 630 that are communicativelyconnected to a bus 616. The bus 616 is illustrated as an abstractionthat represents any one or more separate physical buses, point to pointconnections, or both connected by appropriate bridges, adapters, orcontrollers. The bus 616, therefore, can include, for example, a systembus, a Peripheral Component Interconnect (PCI) bus or PCI-Express bus, aHyperTransport or industry standard architecture (ISA) bus, a smallcomputer system interface (SCSI) bus, a universal serial bus (USB), IIC(I2C) bus, or an Institute of Electrical and Electronics Engineers(IEEE) standard 1394 bus, also called “Firewire.”

The processing system 600 may operate as part of an applicationdevelopment platform or a user device that is used to execute anapplication that is supported by one or more application developmentplatforms (e.g., Heroku or Force.com). Alternatively, the processingsystem 600 could be connected (e.g., wired or wirelessly) to theapplication development platform and/or the user device. In a networkeddeployment, the processing system 600 may operate in the capacity of aserver or a client machine in a client-server network environment, or asa peer machine in a peer-to-peer (or distributed) network environment.

The processing system 600 may be a server computer, a client computer, apersonal computer (PC), a tablet PC, a laptop computer, a personaldigital assistant (PDA), a mobile telephone, an iPhone®, an iPad®, aBlackberry®, a processor, a telephone, a web appliance, a networkrouter, switch or bridge, a console, a hand-held console, a gamingdevice, a music player, or any portable, device or any machine capableof executing a set of instructions (sequential or otherwise) thatspecify actions to be taken by the processing system 600.

While the main memory 606, non-volatile memory 610, and storage medium626 (also called a “machine-readable medium”) are shown to be a singlemedium, the term “machine-readable medium” and “storage medium” shouldbe taken to include a single medium or multiple media (e.g., acentralized or distributed database, and/or associated caches andservers) that store one or more sets of instructions 628. The term“machine-readable medium” and “storage medium” shall also be taken toinclude any medium that is capable of storing, encoding, or carrying aset of instructions for execution by the computing system and that causethe computing system to perform any one or more of the methodologies ofthe presently disclosed embodiments.

In general, the routines executed to implement the embodiments of thedisclosure, may be implemented as part of an operating system or aspecific application, component, program, object, module or sequence ofinstructions referred to as “computer programs.” The computer programstypically comprise one or more instructions (e.g., instructions 604,608, 628) set at various times in various memory and storage devices ina computer, and that, when read and executed by one or more processingunits or processors 602, cause the processing system 600 to performoperations to execute elements involving the various aspects of thedisclosure.

Moreover, while embodiments have been described in the context of fullyfunctioning computers and computer systems, those skilled in the artwill appreciate that the various embodiments are capable of beingdistributed as a program product in a variety of forms, and that thedisclosure applies equally regardless of the particular type of machineor computer-readable media used to actually effect the distribution.

Further examples of machine-readable storage media, machine-readablemedia, or computer-readable (storage) media include, but are not limitedto, recordable type media such as volatile and non-volatile memory 610,floppy and other removable disks, hard disk drives, optical disks (e.g.,Compact Disk Read-Only Memory (CD ROMS), Digital Versatile Disks(DVDs)), and transmission type media, such as digital and analogcommunication links.

The network adapter 612 enables the processing system 600 to mediatedata in a network 614 with an entity that is external to the processingsystem 600 through any known and/or convenient communications protocolsupported by the processing system 600 and the external entity. Thenetwork adapter 612 can include one or more of a network adaptor card, awireless network interface card, a router, an access point, a wirelessrouter, a switch, a multilayer switch, a protocol converter, a gateway,a bridge, bridge router, a hub, a digital media receiver, and/or arepeater.

The network adapter 612 can include a firewall which can, in someembodiments, govern and/or manage permission to access/proxy data in acomputer network, and track varying levels of trust between differentmachines and/or applications. The firewall can be any number of moduleshaving any combination of hardware and/or software components able toenforce a predetermined set of access rights between a particular set ofmachines and applications, machines and machines, and/or applicationsand applications, for example, to regulate the flow of traffic andresource sharing between these varying entities. The firewall mayadditionally manage and/or have access to an access control list whichdetails permissions including for example, the access and operationrights of an object by an individual, a machine, and/or an application,and the circumstances under which the permission rights stand.

As indicated above, the techniques introduced here implemented by, forexample, programmable circuitry (e.g., one or more microprocessors),programmed with software and/or firmware, entirely in special-purposehardwired (i.e., non-programmable) circuitry, or in a combination orsuch forms. Special-purpose circuitry can be in the form of, forexample, one or more application-specific integrated circuits (ASICs),programmable logic devices (PLDs), field-programmable gate arrays(FPGAs), etc.

Remarks

The foregoing description of various embodiments has been provided forthe purposes of illustration and description. It is not intended to beexhaustive or to limit the claimed subject matter to the precise formsdisclosed. Many modifications and variations will be apparent to oneskilled in the art. Embodiments were chosen and described in order tobest describe the principles of the invention and its practicalapplications, thereby enabling others skilled in the relevant art tounderstand the claimed subject matter, the various embodiments, and thevarious modifications that are suited to the particular usescontemplated.

Although the above Detailed Description describes certain embodimentsand the best mode contemplated, no matter how detailed the above appearsin text, the embodiments can be practiced in many ways. Details of thesystems and methods may vary considerably in their implementationdetails, while still being encompassed by the specification. As notedabove, particular terminology used when describing certain features oraspects of various embodiments should not be taken to imply that theterminology is being redefined herein to be restricted to any specificcharacteristics, features, or aspects of the invention with which thatterminology is associated. In general, the terms used in the followingclaims should not be construed to limit the invention to the specificembodiments disclosed in the specification, unless those terms areexplicitly defined herein. Accordingly, the actual scope of theinvention encompasses not only the disclosed embodiments, but also allequivalent ways of practicing or implementing the embodiments under theclaims.

The language used in the specification has been principally selected forreadability and instructional purposes, and it may not have beenselected to delineate or circumscribe the inventive subject matter. Itis therefore intended that the scope of the invention be limited not bythis Detailed Description, but rather by any claims that issue on anapplication based hereon. Accordingly, the disclosure of variousembodiments is intended to be illustrative, but not limiting, of thescope of the embodiments, which is set forth in the following claims.

What is claimed is:
 1. A method comprising: receiving a HypertextTransfer Protocol (HTTP) call from an application for a resource hostedby a service accessible to a development platform across a network;determining that the service is not a registered client of thedevelopment platform; passing information regarding the HTTP callthrough an authentication process, the information including anidentifier that specifies an origin of the HTTP call; causing an eventlistener to register an event when the authentication process issuccessfully completed; and completing, in response to the event beingregistered, the HTTP call for the resource.
 2. The method of claim 1,wherein the event listener is programmed in Java.
 3. The method of claim1, wherein the resource is data hosted by the external service or aprocess to be executed by the external service.
 4. The method of claim1, wherein the information further includes a description of theresource, a username, or any combination thereof.
 5. The method of claim1, further comprising performing the HTTP call for the resource usingthe information registered by the event listener.
 6. The method of claim1, wherein the HTTP call is completed responsive to the event beingregistered without requiring further input from the application.
 7. Themethod of claim 1, wherein the identifier comprises an organizationidentifier.
 8. The method of claim 1, wherein the identifier comprisesan application identifier.
 9. The method of claim 1, further comprisingstoring the information regarding the HTTP call in a database.
 10. Themethod of claim 1, wherein the identifier identifies the applicationresponsible for placing the HTTP call.
 11. A system comprising: at leastone processor; and a memory communicatively coupled with the at leastone processor, the memory storing instructions, which when executed bythe at least processor perform a method comprising: receiving aHypertext Transfer Protocol (HTTP) call from an application for aresource hosted by a service accessible to a development platform acrossa network; determining that the service is not a registered client ofthe development platform; passing information regarding the HTTP callthrough an authentication process, the information including anidentifier that specifies from where the HTTP call originated; causingan event listener to register an event when the authentication processis successfully completed; and completing, in response to the eventbeing registered, the HTTP call for the resource.
 12. The system ofclaim 11, wherein the event listener is programmed in Java.
 13. Thesystem of claim 11, wherein the resource is data hosted by the externalservice or a process to be executed by the external service.
 14. Thesystem of claim 11, wherein the information further includes adescription of the resource, a username, or any combination thereof. 15.The system of claim 11, wherein the method further comprises performingthe HTTP call for the resource using the information registered by theevent listener.
 16. The system of claim 11, wherein the HTTP call iscompleted responsive to the event being registered without requiringfurther input from the application.
 17. The system of claim 11, whereinthe identifier comprises an organization identifier.
 18. The system ofclaim 11, wherein the identifier comprises an application identifier.19. The system of claim 11, wherein the method further comprises storingthe information regarding the HTTP call in a database.
 20. The system ofclaim 11, wherein the identifier identifies the application responsiblefor placing the HTTP call.